SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

• SANS NewsBites RSS
• Editorial Board

Volume XVII - Issue #66

August 25, 2015

TOP OF THE NEWS

Appeals Court Reaffirms FTC Power To Police Data Breaches
Exploitation of Ashley Madison Breach Begins; Company Offers Reward

THE REST OF THE WEEK'S NEWS

Malicious Ads on Telstra News Site
"Loose Tweets Destroy Fleets"
Flaws in Dolphin and Mercury Browsers
BitTorrent Tracker Blocks Windows 10
Let's Encrypt to Offer Free TLS Certificates
Possible Jail Time for Man Who Admitted Role in Government Website Attacks
Government Employees Not Abiding by BYOD Security
Ashley Madison CTO May Have Stolen Data From Competitor

STORM CENTER TECH CORNER

STORM CENTER TECH CORNER

---

********************* Sponsored By ISIGHT Partners **********************

WHITE PAPER: Need help navigating the Cyber Threat Intelligence market? Read this complimentary white paper featuring a recent research note from Gartner, Inc.-"The Market Guide for Security Threat Intelligence Services." Read how Gartner defines the Cyber Threat Intelligence market, exploring use cases, comparing vendors and more in this definitive document. http://www.sans.org/info/179732

**************************************************************************

TRAINING UPDATE

- --SANS Network Security 2015| Las Vegas, NV | September 14-19, 2015 | Join our top-notch instructors in Las Vegas where they will be teaching more than 45 courses. Enhance your information security skills by taking one of our advanced courses in digital forensics, penetration testing, cyber defense, or secure app development. SANS Network Security 2015 also offers specialty courses within the fields of Industrial Control Systems, Security Management, IT Audit, and Legal.
http://www.sans.org/u/5ZT

- --Security Awareness Summit & Training | Philadelphia | August 17-25 | 5 Courses including MGT433 taught by Lance Spitzner. At the summit hear security awareness officers share inside knowledge on how they took their awareness programs to the next level and how they measured the impact. http://www.sans.org/u/53N

- --SANS Virginia Beach 2015| Virginia Beach, VA | August 24-September 4, 2015 | 13 courses
http://www.sans.org/u/5Zz

- --SANS Chicago 2015| Chicago, IL | August 30-September 4, 2015 | 8 courses
http://www.sans.org/u/5ZO

- -- SANS Baltimore 2015| Baltimore, MD | September 21-26, 2015 | 4 courses
http://www.sans.org/u/7tq

- -- SANS DFIR Prague 2015 | Prague, Czech Republic | October 5-17, 2015 | 11 courses
http://www.sans.org/u/7tF

- -- SOS: SANS October Singapore | Singapore, Singapore | October 12-24, 2015 | 8 courses
http://www.sans.org/u/7tK

- --Can't travel? SANS offers LIVE online instruction. Day (Simulcast - http://www.sans.org/u/WF) and Evening (vLive - http://www.sans.org/u/WU) courses available!

- --Multi-week Live SANS training
Mentor - http://www.sans.org/u/X4
Contact mentor@sans.org

- --Looking for training in your own community?
Community - http://www.sans.org/u/Xj

- --Save on OnDemand training (30 full courses) - See samples at OnDemand Specials - http://www.sans.org/u/Xy

Plus Milan, Amsterdam, Seoul, Tallinn, and Bangalore all in the next 90 days.

For a list of all upcoming events, on-line and live:
http://www.sans.org/u/XI
***************************************************************************

---

TOP OF THE NEWS

Appeals Court Reaffirms FTC Power To Police Data Breaches (August 24, 2015)

The US Court of Appeals for the Third Circuit has issued a unanimous ruling that the Federal Trade Commission (FTC) has the authority to bring enforcement action against companies that fail to provide adequate sufficient protection against cyber security breaches. The ruling, which upholds a lower court decision in favor of the FTC, allows the agency to proceed with a lawsuit alleging that Wyndham Worldwide Corp. failed to employ adequate security protections for customers' personal data. Wyndham maintained that the FTC was overreaching its authority and that the company was being punished for being a victim of a cyber attack.
-http://thehill.com/policy/cybersecurity/251803-appeals-court-ftcs-authority-exte
nds-to-cybersecurity
-http://www.wired.com/2015/08/court-says-ftc-can-slap-companies-getting-hacked/
-http://www.darkreading.com/perimeter/ruling-ftc-can-hold-wyndham-liable-for-data
-breach/d/d-id/1321881?
-http://www.computerworld.com/article/2975054/security/ftc-can-bring-down-the-ham
mer-on-companies-with-sloppy-cybersecurity-court-rules.html
-https://hoofnagle.berkeley.edu/ftcprivacy/wp-content/uploads/2015/08/wyndham_3rd
_cir_14-3514.pdf
[Editor's Note (Pescatore): Good to see the court system continually re-affirming the FTC's authority to continue to go after companies that claim to protect users data but actually ignore basic security and privacy hygiene. While Congress has been debating about threat information sharing for a decade, the FTC has been busy actually helping improve security and privacy. ]

Exploitation of Ashley Madison Breach Begins; Company Offers Reward (August 21, 2015)

People whose Ashley Madison account information was exposed in recent data dumps are being blackmailed by opportunists, and sketchy websites offering to remove data from the Internet for a significant fee are springing up. There are also unconfirmed reports that at least two people have taken their own lives because their names were included in the leaked data. Ashley Madison parent company Avid Life Media is offering CAD $500,000 (US $377,000) for information leading to the arrests of those responsible for the data theft.
-http://arstechnica.com/security/2015/08/exposed-ashley-madison-members-targeted-
by-scammers-and-extortionists/
-http://krebsonsecurity.com/2015/08/extortionists-target-ashley-madison-users/
-http://www.bbc.com/news/technology-34044506
-http://www.smh.com.au/digital-life/digital-life-news/ashley-madison-two-unconfir
med-reports-of-suicide-linked-to-hack-say-police-20150824-gj6s4o.html
-http://www.v3.co.uk/v3-uk/news/2418412/ashley-madison-cheating-site-hack-leaves-
37-million-users-exposed
-http://www.wired.com/2015/08/ashley-madison-offering-500k-reward-info-hackers/
-http://www.zdnet.com/article/first-ashley-madison-suicides-reported/

---

**************************** SPONSORED LINKS ******************************
1) Download the free eBook: Next-Generation Endpoint Security for Dummies: http://www.sans.org/info/179737

2) What Works in Vulnerability Management: Lifecycle Vulnerability Management and Continuous Monitoring with Rapid7 Nexpose: Tuesday, September 08 at 1:00 PM EDT (17:00:00 UTC) with John Pescatore and Chris Prewitt. http://www.sans.org/info/179742

3) What Works in Reducing Web Application Vulnerabilities: Using to WhiteHat Sentinel to Increase Application Security Before and After Production Deployment: Thursday, September 10 at 3:00 PM EDT (19:00:00 UTC)featuring John Pescatore. http://www.sans.org/info/179747
***************************************************************************

---

THE REST OF THE WEEK'S NEWS

Malicious Ads on Telstra News Site (August 24, 2015)

Attackers managed to plant malware in advertisements that appeared on the news site of Australian telecommunications company Telstra. The malware aims to redirect users to malicious sites hosting an exploit that attempts to infect users' computers with the Tinba banking Trojan. Telstra itself was not compromised; instead, the attackers made their way onto the site through advertising networks.
-http://www.theregister.co.uk/2015/08/24/popped_telstra_news_spews_banking_trojan
/
-http://www.scmagazine.com/malvertising-on-telstra-website-similar-to-plentyofish
-attack/article/434343/

"Loose Tweets Destroy Fleets" (August 24, 2015)

The US Air Forces Central Command has released an Operations Security (OPSEC) notice reminding soldiers that "Loose Tweets Destroy Fleets." The memo urges soldiers to think carefully about what they post, especially about vital missions, and to make sure the security and privacy settings on their social media accounts are set to protect their personal information.
-http://www.csmonitor.com/Technology/2015/0824/Air-Force-warns-that-loose-tweets-
destroy-fleets
-http://www.afcent.af.mil/News/ArticleDisplay/tabid/136/Article/613568/opsec-be-s
afe-be-smart.aspx
[Editor's Note (Northcutt): Here is the classic on which it is based:
-http://www.amazon.com/Loose-Ships-20x30-Poster-Paper/dp/B0046OFEZW]

Flaws in Dolphin and Mercury Browsers (August 24, 2015)

Vulnerabilities in Dolphin and Mercury browsers for Android could be exploited to execute code remotely. Dolphin has approximately 100 million installs; Mercury has approximately one million. The developers for both browsers have released patches for the vulnerabilities.
-http://www.scmagazine.com/popular-android-browsers-open-to-hackers/article/43432
5/
-http://www.theregister.co.uk/2015/08/24/hacker_slaps_dolphin_mercury_browsers_sq
uirts_zero_day/

BitTorrent Tracker Blocks Windows 10 (August 24, 2015)

BitTorrent tracker iTS now blocks users running Windows 10 from using their website to access torrents because of the new operating system's privacy settings. iTS maintains that Windows 10 tracks "every action, email, conversation, video, picture, or anything else that you do on your computer." Microsoft shares the information it collects with an anti-piracy company. Other BitTorrent trackers are considering following iTS's lead.
-http://www.zdnet.com/article/bittorrent-tracker-blocks-windows-10-users/

Let's Encrypt to Offer Free TLS Certificates (August 24, 2015)

The Let's Encrypt project will allow just about any website to use free Transport Layer Security (TLS) certificates to protect site visitors. The program is scheduled to launch on September 7, 2015, when it will issue "a small number of
[certificates ]
to white-listed domains." Wider availability is expected by November 16, 2015.
-http://www.zdnet.com/article/securing-the-internet-lets-encrypt/
-https://letsencrypt.org
[Editor's Note (Northcutt): It is a novel idea. A Certificate Authority focused on making the Internet safer instead of getting rich taking money from people to give them a set of bits. This may even amount to bragging rights to have one of their CERTS. HTTPS may not be perfect, but it is better than any alternative we are likely to have in the foreseeable future, so focus on the best possible implementation. Follow the Twitter feed to stay up on their progress:
-https://twitter.com/letsencrypt?lang=en
-https://www.eff.org/deeplinks/2014/11/certificate-authority-encrypt-entire-web
-http://www.sans.org/reading-room/whitepapers/vpns/pki-trust-models-trust-36112]

Possible Jail Time for Man Who Admitted Role in Government Website Attacks (August 19, 2015)

Charlton Floate, a 19-year-old from the UK, could face incarceration for his role in taking down government websites in the UK and the US. Floate helped orchestrate distributed denial-of-service (DDoS) attacks against the websites of the FBI and the UK's Home Office. He bragged about his activity online. Floate admitted to changes under the Computer Misuse Act.
-http://www.dailymail.co.uk/news/article-3203894/British-teenager-team-hackers-ca
used-government-websites-UK-USA-crash.html

Government Employees Not Abiding by BYOD Security (August 21 & 24, 2015)

According to a survey of 1,000 US government employees, many are not heeding BYOD (bring your own device) mobile security policies. Nearly a quarter of those surveyed send work documents to their personal email accounts. Seventeen percent said they stored work-related documents on personal file-sharing apps. Employees also said they have jailbroken or rooted their devices and loaded applications that are not from official app stores.
-http://www.zdnet.com/article/securing-the-internet-lets-encrypt/
-http://www.eweek.com/small-business/mobile-device-security-ignored-by-federal-wo
rkers.html
-http://www.scmagazine.com/survey-found-37-percent-of-federal-employees-would-sac
rifice-security-for-mobile-convenience/article/433928/
[Editor's Note (Pescatore): Usual disclaimer here about vendor-funded surveys. I think a better title for the results would be "US Government Fails to Implement Secure Mobility - Employees Forced to Take Security Risks" Of the 24% sending documents to personal email (or to Dropbox), I'll bet the vast majority were doing so to get their job done with no approved secure way of doing so. ]

Ashley Madison CTO May Have Stolen Data From Competitor (August 24, 2015)

Information in emails included in the most recent Ashley Madison data dump indicates that the company's CTO may have broken into a competitor's system and stolen "their entire user base" prior to November 2012.
-http://www.wired.com/2015/08/ashley-madison-leak-reveals-ex-cto-hacked-competing
-site/

---

STORM CENTER TECH CORNER

Samsung Smart Fridge Vulnerabilities
-http://www.pentestpartners.com/blog/hacking-defcon-23s-iot-village-samsung-fridg
e/

Remote Access Security
-https://isc.sans.edu/forums/diary/Are+You+Protecting+your+Backdoor/20069/

Amazon No Longer Allowing flash in Ads
-http://advertising.amazon.com/ad-specs/en/policy/technical-guidelines

iPhone "Quicksand" Vulnerability
-https://www.appthority.com/enterprise-mobile-threats/2015/08/19/quicksand-a-new-
enterprise-ios-vulnerability/

Backdooring Javascript With Minifier
-https://zyan.scripts.mit.edu/blog/backdooring-js/

Decline in Malware From Windigo Group
-https://isc.sans.edu/forums/diary/A+recent+decline+in+traffic+associated+with+Op
eration+Windigo/20065/

ZScaler Associates Recent Malware Spike with Wordpress Exploits
-http://research.zscaler.com/2015/08/neutrino-campaign-leveraging-wordpress.html

Predictable Android Lock Patterns
-http://arstechnica.com/security/2015/08/new-data-uncovers-the-surprising-predict
ability-of-android-lock-patterns/

Apple Update for QuickTime
-http://support.apple.com/kb/HT1222

PlentyOfFish Targeted by Malicious Ads
-https://blog.malwarebytes.org/malvertising-2/2015/08/malvertising-hits-online-da
ting-site-plentyoffish/

Microsoft Only Published "Significant" Vulnerability details for Windows 10
-http://www.theregister.co.uk/2015/08/21/microsoft_will_explain_only_significant_
windows_10_updates/

---

***********************************************************************
The Editorial Board of SANS NewsBites

John Pescatore was Vice President at Gartner Inc. for fourteen years. He became a director of the SANS Institute in 2013. He has worked in computer and network security since 1978 including time at the NSA and the U.S. Secret Service.

Shawn Henry is president of CrowdStrike Services. He retired as FBI Executive Assistant Director responsible for all criminal and cyber programs and investigations worldwide, as well as international operations and the FBI's critical incident response.

Stephen Northcutt teaches advanced courses in cyber security management; he founded the GIAC certification and was the founding President of STI, the premier skills-based cyber security graduate school, www.sans.edu.

Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.

Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course.

Michael Assante was Vice President and Chief Security Officer at NERC, led a key control systems group at Idaho National Labs, and was American Electric Power's CSO. He now leads the global cyber skills development program at SANS for power, oil & gas and other critical infrastructure industries.

Mark Weatherford is a Principal at The Chertoff Group and the former Deputy Under Secretary of Cybersecurity at the US Department of Homeland Security.

William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.

Sean McBride is Director of Analysis and co-founder of Critical Intelligence, and, while at Idaho National Laboratory, he initiated the situational awareness effort that became the ICS-CERT.

Rob Lee is the SANS Institute's top forensics instructor and director of the digital forensics and incident response research and education program at SANS (computer-forensics.sans.org).

Tom Liston is the Principal Information Security Architect for Warner Brothers Entertainment, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.

Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.

Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He leads SANS' efforts to raise the bar in cybersecurity education around the world.

David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.

Gal Shpantzer is a trusted advisor to CSOs of large corporations, technology startups, Ivy League universities and non-profits specializing in critical infrastructure protection. Gal created the Security Outliers project in 2009, focusing on the role of culture in risk management outcomes and contributes to the Infosec Burnout project.

Eric Cornelius is Director of Critical Infrastructure and ICS at Cylance, and earlier served as deputy director and chief technical analyst for the Control Systems Security Program at the US Department of Homeland Security.

Alan Paller is director of research at the SANS Institute.

Brian Honan is an independent security consultant based in Dublin, Ireland.

David Turley is SANS operations manager and serves as production manager and final editor on SANS NewsBites.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/